Description
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.
Published: 2026-07-01
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Appointment Booking Calendar plugin for WordPress contains a missing authorization flaw in the cpabc_appointments_filter_list function. This allows authenticated users with contributor-level access or higher to retrieve internal booking details, including customer names, email addresses, phone numbers, appointment comments, and other personally identifiable information. The impact is a breach of confidentiality: because the plugin does not check the caller's capabilities before returning booking data, low-privileged accounts can read records that only site staff should be able to see.

Affected Systems

The vulnerability affects the codepeople Appointment Booking Calendar plugin for WordPress versions up to and including 1.4.02. All installations that have not applied a newer release are potentially vulnerable. WordPress sites that rely on this plugin should verify the version in use and determine whether it falls within the affected range. The plugin is commonly installed on small business and scheduling applications that require staff and clients to manage appointments.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in CISA’s KEV catalog. Attackers only need to be authenticated as contributors or higher, so the exploitation path is straightforward: log in with an existing contributor account and request appointment data via the plugin’s exposed filter list. Because the filter list enforces no authorization check on the data it returns, any authenticated user in the affected role can see all bookings held on the site.

Generated by OpenCVE AI on July 1, 2026 at 08:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Appointment Booking Calendar plugin to the latest available version, any release newer than 1.4.02, to remove the missing authorization check.
  • If an upgrade cannot be performed immediately, block or disable the cpabc_appointments_filter_list endpoint by restricting access to that functionality to administrators only, or use a firewall rule to block API calls to the offending paths.
  • Review the WordPress user roles and capabilities on the site; remove contributor-level accounts when they are not required, and ensure that only roles with higher privileges retain access to the plugin’s appointment data endpoints.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.
Title       |                | Appointment Booking Calendar <= 1.4.02 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T04:32:26.135Z

Reserved: 2026-06-12T14:41:49.325Z

Link: CVE-2026-12113

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T08:45:15Z

Weaknesses